Talos Vulnerability Report

TALOS-2018-0725

March 26, 2019

CVE Number

CVE-2018-4051

Summary

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS. An attacker can globally create directories and subdirectories on the root file system, as well as change the permissions of existing directories.

Tested Versions

Gog Galaxy 1.2.47 (macOS)

Product URLs

CVSSv3 Score

7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs a helper tool service with root privileges. This tool listens for connections and uses the provided protocol to dispatch functionality out.

The vulnerability arises in the createFolderAtPath. This function takes a path as its first argument and creates a folder at that location. The function also builds any nested directories that are needed. These directories are owned by a root wheel, but have global read write and execute set abilities. This creates a privilege escalation vulnerability, allowing an attacker to modify the root file system.